valak | 3769a84dbe7ba74ad7b0b355a864483d3562888a67806082ff094a56ce73bf7e

Analysis

max time kernel
136s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 07:54

Target

draw.dll
Size

304KB
MD5

78e05075e686397097de69fb0402263e
SHA1

f3e9e7f321deb1a3408053168a6a67c6cd70e114
SHA256

3769a84dbe7ba74ad7b0b355a864483d3562888a67806082ff094a56ce73bf7e
SHA512

746a430aaad88fa150e7709ed834834fe5d9483c2d92c4838cd26b6f4dad960480daae7dec2a66fb4023c2cbfc316f820f809a7e51a7425900b33fe425759f2b
SSDEEP

6144:qvcrjpzLkdo1R6HNX3/jllAbTlj1/BVICh:oaCduiNnHA/Be

Score

10^/10

valak Loader

Valak
Valak is a JavaScript loader, a link in a chain of distribution of other malware families.
Loader valak

Valak JavaScript Loader 1 IoCs

Processes:

resource	yara_rule
C:\Users\Public\iVIwVADQD.eLxan	valak_js

Valak JavaScript loader 1 IoCs

Processes:

resource	yara_rule
C:\Users\Public\iVIwVADQD.eLxan	valak

Blocklisted process makes network request 2 IoCs

Processes:

wscript.exe

flow pid process

50 4240 wscript.exe
53 4240 wscript.exe

flow	pid	process
50	4240	wscript.exe
53	4240	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1656 wrote to memory of 4504	1656	rundll32.exe	rundll32.exe
PID 1656 wrote to memory of 4504	1656	rundll32.exe	rundll32.exe
PID 1656 wrote to memory of 4504	1656	rundll32.exe	rundll32.exe
PID 4504 wrote to memory of 4240	4504	rundll32.exe	wscript.exe
PID 4504 wrote to memory of 4240	4504	rundll32.exe	wscript.exe
PID 4504 wrote to memory of 4240	4504	rundll32.exe	wscript.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\draw.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\draw.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SysWOW64\wscript.exe
wscript.exe //E:jscript "C:\Users\Public\iVIwVADQD.eLxan
3⤵
- Blocklisted process makes network request
PID:4240

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4280

C:\Users\Public\iVIwVADQD.eLxan
Filesize
11KB

MD5
bc9ac467126926bfd2782428da6f1a09

SHA1
f9d6fbc917446025fb63cc622a117a11544ce34b

SHA256
0eab2d2538e95419e764bd23408ad7e0cb830b3df3e3e1a77c71af75e6184dd9

SHA512
f82193aa1551794f5fbaeb2f958cf00a2b43ea2f135be338425e677ad99b523bb6f3787348e3e714f23f9c037ad21a4925db9c40b432a5c4da460f46fed8a62c

Download Submit
memory/4240-137-0x0000000000000000-mapping.dmp

Download
memory/4504-132-0x0000000000000000-mapping.dmp

Download
memory/4504-134-0x0000000010000000-0x0000000010151000-memory.dmp

Filesize
1.3MB

Download
memory/4504-133-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/4504-136-0x0000000010000000-0x0000000010151000-memory.dmp

Filesize
1.3MB

Download